8 vulnerabilities found for git-proxy by finos
CVE-2025-54586 (GCVE-0-2025-54586)
Vulnerability from cvelistv5 – Published: 2025-07-30 21:14 – Updated: 2025-07-31 17:55
Title
GitProxy is susceptible to a hidden commits injection attack
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
Severity ?
7.1 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:40:01.971988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:46.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T21:14:41.238Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
},
{
"name": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-v98g-8rqx-g93g",
"discovery": "UNKNOWN"
},
"title": "GitProxy is susceptible to a hidden commits injection attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54586",
"datePublished": "2025-07-30T21:14:41.238Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-31T17:55:46.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54585 (GCVE-0-2025-54585)
Vulnerability from cvelistv5 – Published: 2025-07-30 20:17 – Updated: 2025-07-30 20:30
Title
GitProxy is vulnerable to a new branch approval exploit
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does, however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54585",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:30:12.139864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:30:27.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:17:20.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-39p2-8hq9-fwj6",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a new branch approval exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54585",
"datePublished": "2025-07-30T20:17:20.844Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-30T20:30:27.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54584 (GCVE-0-2025-54584)
Vulnerability from cvelistv5 – Published: 2025-07-30 20:01 – Updated: 2025-07-30 20:19
Title
GitProxy is vulnerable to a packfile parsing exploit
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
Severity ?
CWE
- CWE-115 - Misinterpretation of Input
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54584",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:18:53.257366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:19:21.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:01:16.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv"
},
{
"name": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-xxmh-rf63-qwjv",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a packfile parsing exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54584",
"datePublished": "2025-07-30T20:01:16.338Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:19:21.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54583 (GCVE-0-2025-54583)
Vulnerability from cvelistv5 – Published: 2025-07-30 19:59 – Updated: 2025-07-30 20:13
Title
GitProxy bypasses approvals when pushing multiple branches
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54583",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:11:53.549022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:13:10.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:00:01.652Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-qr93-8wwf-22g4",
"discovery": "UNKNOWN"
},
"title": "GitProxy bypasses approvals when pushing multiple branches"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54583",
"datePublished": "2025-07-30T19:59:44.317Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:13:10.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54586 (GCVE-0-2025-54586)
Vulnerability from nvd – Published: 2025-07-30 21:14 – Updated: 2025-07-31 17:55
Title
GitProxy is susceptible to a hidden commits injection attack
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
Severity ?
7.1 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:40:01.971988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:46.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T21:14:41.238Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
},
{
"name": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-v98g-8rqx-g93g",
"discovery": "UNKNOWN"
},
"title": "GitProxy is susceptible to a hidden commits injection attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54586",
"datePublished": "2025-07-30T21:14:41.238Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-31T17:55:46.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54585 (GCVE-0-2025-54585)
Vulnerability from nvd – Published: 2025-07-30 20:17 – Updated: 2025-07-30 20:30
Title
GitProxy is vulnerable to a new branch approval exploit
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does, however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54585",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:30:12.139864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:30:27.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:17:20.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-39p2-8hq9-fwj6",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a new branch approval exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54585",
"datePublished": "2025-07-30T20:17:20.844Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-30T20:30:27.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54584 (GCVE-0-2025-54584)
Vulnerability from nvd – Published: 2025-07-30 20:01 – Updated: 2025-07-30 20:19
Title
GitProxy is vulnerable to a packfile parsing exploit
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
Severity ?
CWE
- CWE-115 - Misinterpretation of Input
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54584",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:18:53.257366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:19:21.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:01:16.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv"
},
{
"name": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-xxmh-rf63-qwjv",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a packfile parsing exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54584",
"datePublished": "2025-07-30T20:01:16.338Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:19:21.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54583 (GCVE-0-2025-54583)
Vulnerability from nvd – Published: 2025-07-30 19:59 – Updated: 2025-07-30 20:13
Title
GitProxy bypasses approvals when pushing multiple branches
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54583",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:11:53.549022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:13:10.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:00:01.652Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-qr93-8wwf-22g4",
"discovery": "UNKNOWN"
},
"title": "GitProxy bypasses approvals when pushing multiple branches"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54583",
"datePublished": "2025-07-30T19:59:44.317Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:13:10.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}